qmailAdmin fails to properly handle the "PATH_INFO" variable in qmailadmin.c. The PATH_INFO is a standard CGI environment variable filled with user supplied data.

Impact

A remote attacker could exploit this vulnerability by sending qmailAdmin a maliciously crafted URL that could lead to the execution of arbitrary code with the permissions of the user running qmailAdmin.